ISO/IEC 42001 / A.10.1

A.10.1: Third-Party AI Relationships

Manage supplier risk for third-party AI components.

Last reviewed June 2026

Problem

The gap A.10.1 closes

Third-Party AI Relationships sits in the third party surface, and ISO/IEC 42001 rates it high. Manage supplier risk for third-party AI components. For teams shipping LLM and agentic features, a control like this is only as good as the evidence that it was actually tested - an unverified control is a finding waiting for an auditor.

How Penaxtra approaches it

How Penaxtra delivers A.10.1

Penaxtra turns this ISO/IEC 42001 obligation into testable, recurring evidence: scheduled scans and posture checks produce findings tied to A.10.1, and the append-only audit log records what was tested and when, which is exactly what an assessor asks for. Every relevant finding is created with the ISO/IEC 42001 A.10.1 identifier already attached, so it lands in the audit-evidence pack mapped to the control rather than as a screenshot someone has to translate later. Where the same weakness touches another framework, the cross-framework overlap means one finding satisfies several control cells at once.

Technical capabilities

A.10.1 capabilities

Probe and check coverage aligned to A

10.1 (Third-Party AI Relationships).

Findings tagged with the ISO/IEC 42001 A

10.1 control identifier.

Severity context (ISO/IEC 42001 rates this high)

Cross-framework overlap so one finding maps to several control cells

PDF and JSON audit-evidence export with the control id attached

Compliance mapping

A.10.1 compliance mapping

Findings for A.10.1 carry the ISO/IEC 42001 A.10.1 identifier and cross-map to the related controls in the other five frameworks Penaxtra covers.

FAQ

Frequently asked

What is A.10.1 (Third-Party AI Relationships)?

Manage supplier risk for third-party AI components. It is part of ISO/IEC 42001, rated high.

How does Penaxtra test for A.10.1?

Penaxtra turns this ISO/IEC 42001 obligation into testable, recurring evidence: scheduled scans and posture checks produce findings tied to A.10.1, and the append-only audit log records what was tested and when, which is exactly what an assessor asks for.

Does a finding for A.10.1 help with an audit?

Yes. Each finding is tagged with the ISO/IEC 42001 A.10.1 control identifier and exported in the PDF and JSON evidence pack, so it maps straight onto the auditor control list instead of needing manual translation.

Related

Explore further

ISO/IEC 42001 overview A.10.2 Customer-Facing AI Disclosures A.5.1 AI System Policies OWASP LLM, Agentic and MITRE ATLAS ID crosswalk AI-SPM platform overview

Request a demo

Scoped walkthrough of the ISO/IEC 42001 / A.10.1 surface against your environment. No credit card.

Request a demo Explore AI-SPM platform